package org.elasticsearch.common.ssl;

import java.io.IOException;
import java.nio.file.Path;
import java.security.AccessControlException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.function.Function;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.core.Tuple;

/* loaded from: input_file:org/elasticsearch/common/ssl/StoreKeyConfig.class */
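/**
 * An {@link SslKeyConfig} whose private keys and certificates are read from a keystore file
 * (the keystore type is supplied by the caller, see {@code type}).
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The store and key passwords are held as {@code char[]} and are stored by reference, not
 *       copied. A caller that later clears or reuses those arrays changes this configuration.</li>
 *   <li>{@link #toString()} and the diagnostic hints built by this class describe only whether a
 *       password is empty or equal to the other password; they never include password characters.</li>
 *   <li>The keystore location is {@code configBasePath.resolve(keystorePath)}. {@link Path#resolve(String)}
 *       returns the argument itself when it is absolute, and no normalisation is applied here, so the
 *       base path is a default location rather than a containment boundary.</li>
 *   <li>{@link #equals(Object)} and {@link #hashCode()} ignore {@code filter} and {@code configBasePath}.</li>
 * </ul>
 */
public class StoreKeyConfig implements SslKeyConfig {
    private final String keystorePath;
    private final String type;
    private final char[] storePassword;
    private final Function<KeyStore, KeyStore> filter;
    private final char[] keyPassword;
    private final String algorithm;
    private final Path configBasePath;

    /**
     * @param path           path to the keystore file, resolved against {@code configBasePath}
     * @param storePassword  password for the keystore itself; must not be null but may be empty
     * @param type           keystore type, passed through to the keystore reader
     * @param filter         optional transformation applied to the loaded keystore before it is used
     *                       to build a key manager; may be {@code null}, must not return {@code null}
     * @param keyPassword    password for the key entries; must not be null but may be empty
     * @param algorithm      algorithm name handed to the key manager factory helper
     * @param configBasePath base directory used to resolve {@code path}
     * @throws NullPointerException if any argument other than {@code filter} is null
     */
    public StoreKeyConfig(
        String path,
        char[] storePassword,
        String type,
        @Nullable Function<KeyStore, KeyStore> filter,
        char[] keyPassword,
        String algorithm,
        Path configBasePath
    ) {
        this.keystorePath = Objects.requireNonNull(path, "Keystore path cannot be null");
        // Password arrays are kept by reference (no defensive copy).
        this.storePassword = Objects.requireNonNull(storePassword, "Keystore password cannot be null (but may be empty)");
        this.type = Objects.requireNonNull(type, "Keystore type cannot be null");
        this.filter = filter;
        this.keyPassword = Objects.requireNonNull(keyPassword, "Key password cannot be null (but may be empty)");
        this.algorithm = Objects.requireNonNull(algorithm, "Keystore algorithm cannot be null");
        this.configBasePath = Objects.requireNonNull(configBasePath, "Config path cannot be null");
    }

    /**
     * Builds a trust configuration backed by the same keystore file, store password and type,
     * using the JVM's default trust manager algorithm.
     */
    @Override
    public SslTrustConfig asTrustConfig() {
        // NOTE(review): the meaning of the boolean argument is defined by StoreTrustConfig, which is
        // not visible here - presumably "require trust anchors"; confirm against that class.
        return new StoreTrustConfig(
            this.keystorePath,
            this.storePassword,
            this.type,
            TrustManagerFactory.getDefaultAlgorithm(),
            false,
            this.configBasePath
        );
    }

    /** Returns the single file this configuration depends on: the resolved keystore path. */
    @Override
    public Collection<Path> getDependentFiles() {
        return List.of(resolvePath());
    }

    /** A keystore-backed configuration always reports that it carries key material. */
    @Override
    public boolean hasKeyMaterial() {
        return true;
    }

    /**
     * Resolves the configured keystore path against the configuration base path.
     * An absolute {@code keystorePath} is returned as-is by {@link Path#resolve(String)}.
     */
    private Path resolvePath() {
        return this.configBasePath.resolve(this.keystorePath);
    }

    /** Returns the key/certificate pairs from the unfiltered keystore. */
    @Override
    public List<Tuple<PrivateKey, X509Certificate>> getKeys() {
        return getKeys(false);
    }

    /**
     * Reads the keystore and returns one tuple per key entry that has an X.509 certificate.
     * Key entries without a certificate are skipped.
     *
     * @param filterKeystore when {@code true}, the configured keystore filter (if any) is applied first
     */
    public List<Tuple<PrivateKey, X509Certificate>> getKeys(boolean filterKeystore) {
        final Path path = resolvePath();
        KeyStore keyStore = readKeyStore(path);
        if (filterKeystore) {
            keyStore = processKeyStore(keyStore);
        }
        return KeyStoreUtil.stream(keyStore, ex -> keystoreException(path, ex))
            .filter(entry -> entry.isKeyEntry())
            .map(entry -> {
                final X509Certificate certificate = entry.getX509Certificate();
                if (certificate != null) {
                    // The private key is unlocked with the key password, not the store password.
                    return new Tuple<>(entry.getKey(this.keyPassword), certificate);
                }
                return null;
            })
            .filter(Objects::nonNull)
            .toList();
    }

    /**
     * Lists every certificate found in every entry's certificate chain in the (unfiltered) keystore.
     * The first certificate of each chain is created with the final constructor flag set to
     * {@code true}; all later ones with {@code false}.
     */
    @Override
    public Collection<StoredCertificate> getConfiguredCertificates() {
        final Path path = resolvePath();
        final KeyStore keyStore = readKeyStore(path);
        return KeyStoreUtil.stream(keyStore, ex -> keystoreException(path, ex)).flatMap(entry -> {
            final List<StoredCertificate> certificates = new ArrayList<>();
            boolean firstElement = true;
            for (X509Certificate certificate : entry.getX509CertificateChain()) {
                certificates.add(new StoredCertificate(certificate, this.keystorePath, this.type, entry.getAlias(), firstElement));
                firstElement = false;
            }
            return certificates.stream();
        }).toList();
    }

    /** Creates a key manager from the keystore at the resolved path. */
    @Override
    public X509ExtendedKeyManager createKeyManager() {
        return createKeyManager(resolvePath());
    }

    /**
     * Loads the keystore, applies the optional filter, verifies that at least one key entry
     * remains, and builds the key manager.
     *
     * @throws SslConfigException if the keystore cannot be used; a {@link GeneralSecurityException}
     *         is translated via {@link #keystoreException(Path, GeneralSecurityException)}
     */
    private X509ExtendedKeyManager createKeyManager(Path path) {
        try {
            final KeyStore keyStore = processKeyStore(readKeyStore(path));
            // Checked after filtering, so a filter that removes every key entry is reported here.
            checkKeyStore(keyStore, path);
            return KeyStoreUtil.createKeyManager(keyStore, this.keyPassword, this.algorithm);
        } catch (GeneralSecurityException e) {
            throw keystoreException(path, e);
        }
    }

    /**
     * Applies the configured filter to the keystore, or returns it unchanged when no filter is set.
     *
     * @throws NullPointerException if the filter returns {@code null}
     */
    private KeyStore processKeyStore(KeyStore keyStore) {
        if (this.filter == null) {
            return keyStore;
        }
        return Objects.requireNonNull(this.filter.apply(keyStore), "A keystore filter may not return null");
    }

    /**
     * Reads the keystore file using the configured type and store password, translating I/O,
     * access-control and security failures into the SSL configuration exception types.
     */
    private KeyStore readKeyStore(Path path) {
        final String description = "[" + this.type + "] keystore";
        try {
            return KeyStoreUtil.readKeyStore(path, this.type, this.storePassword);
        } catch (IOException e) {
            throw SslFileUtil.ioException(description, List.of(path), e);
        } catch (AccessControlException e) {
            throw SslFileUtil.accessControlFailure(description, List.of(path), e, this.configBasePath);
        } catch (GeneralSecurityException e) {
            throw keystoreException(path, e);
        }
    }

    /**
     * Wraps a security failure in an {@link SslConfigException}. For an
     * {@link UnrecoverableKeyException} a hint about the key password is attached; the hint states
     * only whether the key password was empty or identical to the store password.
     */
    private SslConfigException keystoreException(Path path, GeneralSecurityException e) {
        String extra = null;
        if (e instanceof UnrecoverableKeyException) {
            extra = "this is usually caused by an incorrect key-password";
            if (this.keyPassword.length == 0) {
                extra += " (no key-password was provided)";
            } else if (Arrays.equals(this.storePassword, this.keyPassword)) {
                extra += " (we tried to access the key using the same password as the keystore)";
            }
        }
        final List<Path> paths = path == null ? List.of() : List.of(path);
        return SslFileUtil.securityException("[" + this.type + "] keystore", paths, e, extra);
    }

    /**
     * Verifies that the keystore holds at least one key entry.
     *
     * @throws SslConfigException if no alias in the keystore is a key entry
     * @throws KeyStoreException  if the keystore cannot be queried
     */
    private static void checkKeyStore(KeyStore keyStore, Path path) throws KeyStoreException {
        final Enumeration<String> aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
            if (keyStore.isKeyEntry(aliases.nextElement())) {
                return;
            }
        }
        final StringBuilder message = new StringBuilder("the ").append(keyStore.getType()).append(" keystore");
        if (path != null) {
            message.append(" [").append(path).append("]");
        }
        // Leading space keeps the sentence readable after either "keystore" or "[path]".
        message.append(" does not contain a private key entry");
        throw new SslConfigException(message.toString());
    }

    /**
     * Describes this configuration without exposing secrets: each password is rendered only as a
     * marker ({@code <empty>}, {@code <non-empty>}, {@code <set>} or {@code <same-as-store-password>}).
     */
    @Override
    public String toString() {
        final StringBuilder sb = new StringBuilder(getClass().getSimpleName());
        sb.append('{');
        // keystorePath is non-null by construction.
        sb.append("path=").append(this.keystorePath).append(", ");
        sb.append("type=").append(this.type);
        sb.append(", storePassword=").append(this.storePassword.length == 0 ? "<empty>" : "<non-empty>");
        sb.append(", keyPassword=");
        if (this.keyPassword.length == 0) {
            sb.append("<empty>");
        } else if (Arrays.equals(this.storePassword, this.keyPassword)) {
            sb.append("<same-as-store-password>");
        } else {
            sb.append("<set>");
        }
        sb.append(", algorithm=").append(this.algorithm);
        sb.append('}');
        return sb.toString();
    }

    /**
     * Two configurations are equal when path, type, algorithm and both passwords match.
     * The filter and the configuration base path are not compared.
     */
    @Override
    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null || getClass() != obj.getClass()) {
            return false;
        }
        final StoreKeyConfig that = (StoreKeyConfig) obj;
        return this.keystorePath.equals(that.keystorePath)
            && this.type.equals(that.type)
            && this.algorithm.equals(that.algorithm)
            && Arrays.equals(this.storePassword, that.storePassword)
            && Arrays.equals(this.keyPassword, that.keyPassword);
    }

    /** Hash over the same fields that {@link #equals(Object)} compares. */
    @Override
    public int hashCode() {
        int result = Objects.hash(this.keystorePath, this.type, this.algorithm);
        result = 31 * result + Arrays.hashCode(this.storePassword);
        result = 31 * result + Arrays.hashCode(this.keyPassword);
        return result;
    }
}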
